GEM
SEVERITY
CVSS v3.x: 7.5 (High)
PATCHED VERSIONS
- ~> 2.2.19
- ~> 3.1.17
- >= 3.2.2
DESCRIPTION
Summary
Rack::Multipart::Parser can accumulate unbounded data when a multipart part's header block never terminates with the required blank line (CRLFCRLF). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).
Details
While reading multipart headers, the parser waits for CRLFCRLF using:
@sbuf.scan_until(/(.*?\r\n)\r\n/m)
If the terminator never appears, it continues appending data (@sbuf.concat(content)) indefinitely. There is no limit on accumulated header bytes, so a single malformed part can consume memory proportional to the request body size.
Impact
Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected.
Mitigation
- Upgrade to a patched Rack version that caps per-part header size (e.g., 64 KiB).
- Until then, restrict maximum request sizes at the proxy or web server layer (e.g., Nginx client_max_body_size).
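The following Ruby is an added example, not Rack's code, showing the header-reading loop from the Details section with the per-part cap from the Mitigation section applied. It uses the same scan_until terminator search the advisory quotes, but stops buffering once the unterminated header bytes pass a limit (64 KiB, the figure given above). MAX_HEADER_BYTES, HeaderTooLarge, IncompleteHeaders, read_part_headers and bytes_buffered_before_rejection are names chosen here; the header lines fed in are constructed sample input.

```ruby
require 'strscan'

# Cap on the bytes one part's header block may occupy before the blank line
# (CRLFCRLF) that ends it. 64 KiB is the figure the advisory gives for patched
# Rack; the constant and function names in this file are ours, not Rack's.
MAX_HEADER_BYTES = 64 * 1024

class HeaderTooLarge < StandardError
  attr_reader :bytes
  def initialize(bytes, cap)
    @bytes = bytes
    super("header block reached #{bytes} bytes without CRLFCRLF (cap #{cap})")
  end
end

class IncompleteHeaders < StandardError; end

# Feeds body chunks into a StringScanner and reads one part's header block,
# the way a streaming multipart parser does. Returns [headers, rest] once
# CRLFCRLF is seen. Raises HeaderTooLarge as soon as the buffered, still
# unterminated header bytes exceed max_bytes, and IncompleteHeaders if the
# input ends first. Without the size check this loop is the unbounded
# accumulation the advisory describes.
def read_part_headers(chunks, max_bytes: MAX_HEADER_BYTES)
  sbuf = StringScanner.new(String.new(encoding: Encoding::BINARY))
  chunks.each do |chunk|
    sbuf.concat(chunk.b)
    # The same terminator search the advisory quotes.
    if (block = sbuf.scan_until(/(.*?\r\n)\r\n/m))
      raise HeaderTooLarge.new(block.bytesize, max_bytes) if block.bytesize > max_bytes
      return [block[0...-2], sbuf.rest] # drop the terminating blank line
    end
    # No terminator yet, so everything buffered is header bytes. Bounding it
    # here is the fix: memory can no longer grow with the request body.
    raise HeaderTooLarge.new(sbuf.rest_size, max_bytes) if sbuf.rest_size > max_bytes
  end
  raise IncompleteHeaders, "input ended before CRLFCRLF"
end

# Constructed input: an endless stream of header lines that never sends the
# blank line. Returns how many bytes were buffered when the cap tripped,
# which is bounded by max_bytes plus one chunk regardless of body size.
def bytes_buffered_before_rejection(max_bytes: MAX_HEADER_BYTES)
  line = "X-Filler: #{'a' * 1000}\r\n" # 1012 bytes per chunk
  endless = Enumerator.new { |y| loop { y << line } }
  read_part_headers(endless, max_bytes: max_bytes)
  nil # unreachable: the stream never terminates the header block
rescue HeaderTooLarge => e
  e.bytes
end

if __FILE__ == $PROGRAM_NAME
  headers, rest = read_part_headers(
    ["Content-Disposition: form-data; name=\"f\"\r\n", "Content-Type: text/plain\r\n\r\nhello"]
  )
  puts headers.inspect, rest.inspect
  puts "cap tripped after #{bytes_buffered_before_rejection} bytes"
end
```

With 1012-byte chunks the cap trips on the 65th chunk, at 65,780 buffered bytes, so peak memory per part is the cap plus one chunk rather than the whole request body. A proxy-level client_max_body_size bounds the request as a whole; the per-part cap is what stops a single part from consuming all of it.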
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2025-61772
- https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c
- https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
- https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
- https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
- https://github.com/advisories/GHSA-wpv5-97wm-hp9c